
launchpad-reviewers team mailing list archive

Re: [Merge] ~xnox/launchpad:only-sha256 into launchpad:master

 

> Note that I only just last week dropped debian-cd support for jigdo, which has
> a dependency on md5sums (at least in the implementation we were using).  I
> expect there to be a long tail of things that reference md5sums even if maybe
> they don't depend on them for verification which will need to be tracked down
> and fixed.  So the start of the N cycle seems like a good time to try this
> out.

Jigdo is useful for images with a pool. And all our installer images are live ones. And the ones that still have a useful Jigdo are the sources isos.

Looking at the Jigdo template, it has all files hashed by md5, but it does check the final template and final assembled iso sha256.

Presence of the template md5sum causes jigdo to check that and ignore the sha256sum.

So that's one more MITM attack, and one more reason to remove md5 support.
Also you probably want to republish our jigdo templates _without_ md5sum for it to correctly assert on sha256s instead.

This is one more reason why we should have been removing md5 a long time ago, as we are accidentally publishing things that are trivial to MITM attack.

Jigdo has had support for sha256 since at least focal.

-- 
https://code.launchpad.net/~xnox/launchpad/+git/launchpad/+merge/452749
Your team Launchpad code reviewers is requested to review the proposed merge of ~xnox/launchpad:only-sha256 into launchpad:master.


